Use safe_attributes for user preferences.
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 17 Jul 2016 06:43:12 +0000 (06:43 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 17 Jul 2016 06:43:12 +0000 (06:43 +0000)
git-svn-id: http://svn.redmine.org/redmine/trunk@15688 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb
app/controllers/my_controller.rb
app/controllers/users_controller.rb
app/models/user_preference.rb

index 9f4aff85eabf4d26793ef9445ae0df36c868267e..0dc1e9811ab91eabf76d7f6720e4fa70c8755b9a 100644 (file)
@@ -123,7 +123,7 @@ class AccountController < ApplicationController
       user_params = params[:user] || {}
       @user = User.new
       @user.safe_attributes = user_params
-      @user.pref.attributes = params[:pref] if params[:pref]
+      @user.pref.safe_attributes = params[:pref]
       @user.admin = false
       @user.register
       if session[:auth_source_registration]
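Review bot: The new `@user.pref.safe_attributes = params[:pref]` drops the `if params[:pref]` guard, so a registration POST that omits the `pref` hash now depends on `Redmine::SafeAttributes#safe_attributes=` silently ignoring a nil argument; that method is not in this diff, so it should be confirmed rather than assumed, since this is an unauthenticated endpoint. If it does not tolerate nil, keep the guard: `@user.pref.safe_attributes = params[:pref] if params[:pref]`. The security gain here is that the old `attributes=` call accepted any `user_preferences` column, presumably including the `user_id` behind `belongs_to :user`, whereas the new call is limited to the whitelist declared on `UserPreference`; a one-line comment saying so, `# whitelist lives in UserPreference.safe_attributes`, would help the next reader see why this line changed. The `register` action continues outside the hunk.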
index 6597fb245fec2666b2f1311c02f5f99fc5368320..73ac2222cc30184a14a01c0f99043d8b658d8c51 100644 (file)
@@ -56,8 +56,8 @@ class MyController < ApplicationController
     @user = User.current
     @pref = @user.pref
     if request.post?
-      @user.safe_attributes = params[:user] if params[:user]
-      @user.pref.attributes = params[:pref] if params[:pref]
+      @user.safe_attributes = params[:user]
+      @user.pref.safe_attributes = params[:pref]
       if @user.save
         @user.pref.save
         set_language_if_valid @user.language
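Review bot: The return value of `@user.pref.save` inside the `if @user.save` branch is still discarded, so if the preference row fails to save the action proceeds down the success path (the flash and redirect are outside the hunk). Unless `UserPreference` has no validations at all, which this diff does not show, the two saves should be combined so the failure is surfaced: `if @user.save && @user.pref.save`. As a minor style point the hunk assigns `@pref = @user.pref` and then addresses the same object as `@user.pref` two lines later; using `@pref.safe_attributes = params[:pref]` would read consistently, assuming `pref` memoizes the association as the assignment suggests. The `account` action continues outside the hunk.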
index f9632fe6b648a0b6b0c28173dbfb142b67a2466e..bf8152b9916d74c31b79fac53e70253ecf04a923 100644 (file)
@@ -90,7 +90,7 @@ class UsersController < ApplicationController
     @user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option, :admin => false)
     @user.safe_attributes = params[:user]
     @user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] unless @user.auth_source_id
-    @user.pref.attributes = params[:pref] if params[:pref]
+    @user.pref.safe_attributes = params[:pref]
 
     if @user.save
       Mailer.account_information(@user, @user.password).deliver if params[:send_information]
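Review bot: The new line tolerates a missing `params[:pref]` (assuming `safe_attributes=` ignores nil), but the line just above it still indexes `params[:user][:password]` unguarded, so an admin create request with no `user` hash raises `NoMethodError` before the new whitelist line is reached. AccountController in this same commit already handles this with `user_params = params[:user] || {}`; the same pattern here, `user_params = params[:user] || {}` and `user_params[:password]`, would make the two controllers consistent. Note also that `safe_attributes=` is called with the implicit default acting user, which on this admin path is the administrator rather than the user being created; that is fine for the five plain attributes whitelisted, but any future `:if` condition on the `UserPreference` whitelist would be evaluated against the admin. The `create` action continues outside the hunk.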
index 0fdbfb50809cce1b7f75ca83b8fe9e08864f28e5..52d120c7440c9f238844837615eac8df4ca2539c 100644 (file)
@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class UserPreference < ActiveRecord::Base
+  include Redmine::SafeAttributes
+
   belongs_to :user
   serialize :others
 
@@ -23,6 +25,12 @@ class UserPreference < ActiveRecord::Base
 
   before_save :set_others_hash
 
+  safe_attributes 'hide_mail',
+    'time_zone',
+    'comments_sorting',
+    'warn_on_leaving_unsaved',
+    'no_self_notified'
+
   def initialize(attributes=nil, *args)
     super
     if new_record? && !(attributes && attributes.key?(:hide_mail))
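Review bot: The `safe_attributes` declaration has no comment explaining that it is the mass-assignment whitelist for the `params[:pref]` hash submitted by end users and admins, and that `user_id` (from `belongs_to :user`) and the serialized `others` column are deliberately left out; a short comment such as `# Mass-assignment whitelist for user-submitted preferences; never add user_id or others here` would keep a future field from being added carelessly. The whitelist only restricts which keys are accepted, not their values: `time_zone` and `comments_sorting` are stored as whatever string the form sends, and no validation is visible in this hunk. If none exists elsewhere in the model, consider `validates :time_zone, inclusion: { in: ActiveSupport::TimeZone.all.map(&:name) }, allow_blank: true` and a similar inclusion check on `comments_sorting`. The `initialize` method that follows continues outside the hunk.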